Abstract. We extend symbolic protocol analysis to apply to protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field. This rich algebraic structure has resisted previous symbolic approaches.

We work in an algebra defined by the normal forms of a rewriting theory (modulo associativity and commutativity). These normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model.

Using this invariant, we prove the main security goals achieved by several different protocols that use Diffie-Hellman operators in subtle ways. We also give a model-theoretic justification of our rewriting theory: the theory proves all equations that are uniformly true as the order of the cyclic group varies.



1 Introduction 

Despite vigorous research in symbolic methods for cryptographic protocol analysis, many gaps and limitations remain. While systems such as NPA-Maude [17], ProVerif [ ], CPSA [ ], and Scyther [12] are extremely useful, great ingenuity is still needed — as for instance in [29] — to analyze protocols that use fundamental cryptographic ideas such as Diffie-Hellman key agreement (henceforth, DH). Moreover, important types of protocols, such as implicitly authenticated key agreement, appear to be out of reach of known symbolic techniques. Indeed, for these protocols, computational techniques have also led to considerable controversy, with arduous proofs that provide little confidence [25,27,28,31].

In this paper we present foundational results and a new analysis technique that together expand the range of applicability of symbolic analysis. In preparation for stating our contributions we remind the reader of the basics of the Diffie-Hellman key exchange [13]. In the protocol's original form, the principals A, B agree on a suitable prime p, and a generator 1 < g < p such that the powers of g form a cyclic group of some large prime order q. For a particular session, A
and B choose random values x, y respectively, raising a base g to these powers mod p:

    A, x  ———— g^x ————>  B, y
    A, x  <———— g^y ————  B, y        (1)

They can then both compute the value (g^x)^y = g^{xy} = (g^y)^x (modulo p, as we will no longer explicitly repeat). We can regard g^{xy} as a new shared secret for A, B. This is reasonable because of the Decisional Diffie-Hellman assumption (DDH), which is the assumption that g^{xy} is indistinguishable from the g^z we would get from a randomly chosen z, for any observer who was given neither x nor y. The protocol is thus secure against a passive adversary, who observes what the compliant principals do, but can neither create messages nor alter (or misdirect) messages of compliant principals.

However, an active adversary can choose its own x', y', sending g^{y'} to A instead of g^y, and sending g^{x'} to B instead of g^x. Now, each of A, B actually shares one key with the adversary, who can act as a man in the middle, re-encrypting messages in any conversation between A and B. Various protocols have been proposed to achieve a range of security goals in the presence of an active attacker, such as implicit authentication, forward secrecy, and preventing impersonation attacks. In Section 2 we describe some of these protocols.

The algebra of the structures on which DH protocols operate has been an obstacle to analyzing them. These structures are cyclic groups of some prime order q, together with an exponentiation operator. The exponents are integers modulo the prime q, which form a field of characteristic q. We will call such structures DH-structures. The algebraic richness of DH-structures has resisted full symbolic formalization, despite substantial steps for subalgebras [17,26,29].

In this paper, we make five contributions.

1. We represent security goals as logical formulas about transmission and reception events, together with freshness and non-compromise assumptions. These clean, structural definitions are easy to work with, in contrast with the procedural notations prevalent among cryptographers. They are based on strand spaces [21,35] as a model of protocol execution.

2. We give a new treatment of the values used for DH exchanges. These values are characterized by a set of equations, namely the equations s = t that are valid in infinitely many DH-structures. In fact, we prove that if an equation holds in infinitely many DH-structures then it holds in all of them.

a. Using an ultraproduct construction, we build a single model M that realizes precisely those equations true in all (equivalently, infinitely many) DH-structures. (Theorem 20)

b. We define an equational theory AG^ that can be presented by a rewrite system that is terminating and confluent modulo associativity and commutativity (Theorem 1). Furthermore, for all equations s = t, AG^ rewrites s and t to the same normal form if and only if s = t is true in M for all values of its free variables (Theorem 20). The normal forms of this rewrite system represent the messages.
3. The theory of DH-structures suggests an adversary model (Section 5). The uniformly algebraic adversary is the Dolev-Yao adversary augmented with the functions in the signature of DH-structures. These functions are governed by the equations s = t derivable in AG^. Thus — given the correspondence between AG^ and truth in DH-structures — the adversary can rely on any equation that, as the size of the underlying cyclic group grows, is valid infinitely often.

4. Using the AG^ normal forms, we define the indicators of a message. Indicators count occurrences of secret values in exponents. We prove that the adversary cannot create a message with a new indicator. If the adversary transmits a message with a particular indicator, then it must have received some message with that indicator previously (Theorem 5). This invariant extends the Honest Ideal theorem [ ] to the algebra AG^. It is our primary proof method.

5. To illustrate the power of our method, we prove about a dozen different security goals for three protocols (Sections 7 and 8). These implicitly authenticated DH protocols have previously resisted attempts to give concise, convincing proofs of the goals they achieve. We also use our method to show why certain protocols do not meet some goals, matching the relevant attacks from the cryptographic literature.

The set of indicators of a message is a set of vectors that count how many times uncompromised values appear in exponents. They are a refinement of the standard notion of an atom occurring in a term, needed since our terms are considered modulo equations. For instance, suppose that in some execution, the exponents a, b, x, y are assumed uncompromised, where x, y are ephemeral secret values and a, b are long-term secret values. The sequence (a, b, x, y) determines a basis for writing these indicator vectors.

Relative to this basis, the factor g^{xy} has indicator (0, 0, 1, 1) because a, b appear 0 times each, and x, y appear once each. g^{x * i(y)} would have indicator (0, 0, 1, −1), since y appears −1 times, i.e. inverted. The factor g^{ax} has indicator (1, 0, 1, 0) since a, x appear once. When we multiply factors, we take unions of indicators. Thus, g^{xy} · g^{bx} · g^{ay} · g^{ab} has indicators

    {(0, 0, 1, 1), (0, 1, 1, 0), (1, 0, 0, 1), (1, 1, 0, 0)}.

There is good motivation for protocols in which each non-zero integer in an indicator is ±1 [ ].

In our model, when the indicator basis consists of uncompromised exponents, 
adversary actions never produce any message containing any new indicator (The- 
orem 5). If the adversary transmits a message with some indicator vector v, then 
it previously received some message with that indicator vector v. Only the reg- 
ular, non-adversary, participants can emit messages with new indicators. 

This idea, which is natural and appealing for DH, is challenging to justify, 
which is probably why it is not familiar from the cryptographic literature. Its 
soundness as a proof technique rests on our foundational results concerning DH- 
structures (contribution 2). 
Structure of this paper. We next, in Sec. 2, introduce a few protocols we will use as running examples. Sec. 3 introduces the strand space theory, and Sec. 4 presents our equational theory AG^. We use strand spaces in Sec. 5 to define IADH protocols and the adversary actions. Section 6 proves the key limitative theorem on indicators and the adversary. Sec. 7 defines a variety of security goals for IADH protocols, and applies the key limitative result to establish these goals; the focus shifts specifically to implicit authentication in Sec. 8. Sec. 9 takes a model-theoretic point of view on DH-structures and proves completeness of the theory AG^. In Sec. 10, we comment on some related work and conclude.



2 Some Protocols of Interest 

We start by describing some illustrative protocols at the level of detail typically seen in the literature. In order not to prejudice ourselves in evaluating possible attacks, we will write R_B for the public value that A receives, purportedly from B, rather than writing g^y, since no one yet knows whether it is the same value that B sent. We likewise write R_A for the public value that B receives, purportedly from A. The participants hope that R_A = g^x and R_B = g^y.

The Station-to-Station protocol [14] authenticates the Diffie-Hellman exchange by digital signatures on the exchange. In a simplified STS, the exchange in Eqn. 1 is followed by the signed messages:

    A •  ————————  • B        (2)

The signatures (see footnote) exclude a man in the middle, assuming some public key infrastructure to certify sk(A), sk(B). The costs of STS include an additional message transmission and reception for each participant, in each session. Moreover, each participant must also prepare one digital signature and also verify one digital signature specifically for that session. There is also a privacy concern, since the signatures publicly associate A and B in a shared session.

An alternative to using per-session digital signatures is implicit authentication [5]. Here the goal is to ensure that any principal that can compute the same value as A can only be B, and conversely. To implement this idea, each principal maintains a long-term secret, which we will write as a for principal A, and as b for B; they publish the long-term public values g^a, g^b, which we will refer to as Y_A, Y_B, etc. The trick is to build the use of the private values a, b into the computation of the shared secret, so that only A, B can do it. In the "Unified Model" UM of Ankney, Johnson, and Matyas [2], the principals combine long term values with short term values by concatenating and hashing. They send only the messages shown in Eqn. 1, and then — letting H(x) be a hash of x — compute their keys:

    A: k = H(Y_B^a || R_B^x)      B: k = H(Y_A^b || R_A^y)      (3)



Footnote: We write t || t' for the concatenation of t with t'. A digitally signed message [t]_sk(A) means t || sig(H(t), sk(A)), where sig is a signature algorithm, H(t) is a hash of t, and sk(A) is a signing key owned by A.



obtaining the shared value H(g^{ab} || g^{xy}) if R_A = g^x and R_B = g^y. Again, public key infrastructure must associate the public value Y_P with the intended peer P. However, no digital signature is generated or checked specific to this run. If A has frequent sessions with B, A can amortize the cost of the certificate verification by keeping Y_B in secure storage.

Menezes-Qu-Vanstone (MQV) [ ] relies only on algebraic operations. MQV computes the key via the rules:

    A: k = (R_B · Y_B^{[R_B]})^{s_A}      B: k = (R_A · Y_A^{[R_A]})^{s_B}      (4)

where s_A = x + a[R_A] and s_B = y + b[R_B]. The "box" operator coerces numbers mod p to a convenient form in which they can be used as exponents. In the literature this is written in the typographically more cumbersome form of a bar, as R̄_B. In a successful run, A obtains the value

    (g^y · (g^b)^{[g^y]})^{x + a[g^x]} = (g^{(y + b[g^y])})^{(x + a[g^x])} = g^{(s_B · s_A)}      (5)

and B obtains g^{(s_A · s_B)}, which is the same value. MQV differs from UM only in the function that the principals use to compute the key. MQV's key computation makes it algebraically challenging to model and to analyze. Controversy about its security remains [25,27,28,31].



3 Background: Strand Spaces 

In this paper, we adopt the strand space formalism, although allowing messages to form more complex algebraic structures than in earlier papers, e.g. [21,35].

Strands. A strand is a sequence of local actions called nodes. A node may be either:

— a message transmission;

— a message reception; or else

— a neutral node. Neutral nodes are local events in which a principal consults or updates its local state [22].

If n is a node, and the message t is transmitted, received, or coordinated with the state on n, then we write t = msg(n). We write bullets • for transmission and reception events and circles ∘ for neutral events, involving only the local state. Double arrows indicate successive events on the same strand, e.g. ∘ ⇒ • ⇒ •.

Each strand is either a regular strand, which represents the sequence of local actions made by a single principal in a single local session of a protocol, or else an adversary strand, which represents a single action of the adversary.

A protocol is a set of regular strands, called the roles of the protocol. We assume that every protocol contains a specific role, called the listener role, which consists of a single reception node n. We use listener strands to provide "witnesses" when msg(n) has been disclosed, especially to specify confidentiality properties.
Adversary strands consist of zero or more reception nodes followed by one transmission node. They represent the adversary obtaining the transmitted value as a function of the values received; or creating it, if there are no reception nodes. All values that the adversary handles are received or transmitted; none are silently obtained from long-term state. In fact, allowing the adversary to use neutral nodes — or strands of other forms — provides no additional power. (See Section 6.)

We regard the messages transmitted and received on • nodes, and obtained from long-term state on neutral nodes ∘, as forming an abstract algebra. Concatenation and encryption are operators that construct values in the algebra from a pair of given values, and we regard v_0 || v_1 as equal to u_0 || u_1 just in case v_0 = u_0 and v_1 = u_1. Similarly, {|v_0|}_{v_1} equals {|u_0|}_{u_1} just in case v_0 = u_0 and v_1 = u_1. That is, they are free operators. For our present purposes, it suffices to represent other operators such as hash functions and digital signatures in terms of these.

The basic values that are neither concatenations nor encryptions include principal names; keys of various kinds; exponents and group elements such as x, x * y, and g^x; and text values. We regard variables ("indeterminates") such as x as distinct from values of other forms, e.g. products x * y, or from other variables. A variable represents a "degree of freedom" in a description of some executions, which can be instantiated or restricted. It may also represent an independent choice, as A's choice of a value x to build g^x is independent of B's choice of y. DH algebras are defined later in this section as the normal forms of an AC rewriting system.

Ingredients and origination. A value t_1 is an ingredient of another value t_2, written t_1 ⊑ t_2, if t_1 contributes to t_2 via concatenation or as the plaintext of encryptions: ⊑ is the least reflexive, transitive relation such that:

    t_1 ⊑ t_1 || t_2,    t_2 ⊑ t_1 || t_2,    t_1 ⊑ {|t_1|}_{t_2}.

By this definition, t_2 ⊑ {|t_1|}_{t_2} implies that (anomalously) t_2 ⊑ t_1. For basic (non-encrypted, non-concatenated) values a, b, we have a ⊑ b iff a = b.

A value t originates on a transmission node n if t ⊑ msg(n), so that it is an ingredient of the message sent on n, but it was not an ingredient of any message earlier on the same strand. That is, m ⇒⁺ n implies t ⋢ msg(m).

A basic value is uniquely originating in an execution if there is exactly one node at which it originates. Freshly chosen nonces or DH values g^x are typically assumed to be uniquely originating.

A value is non-originating if there is no node at which it originates. An uncompromised long term secret such as a signature key or a private decryption key is assumed to be non-originating. Because adversary strands receive their arguments as incoming messages, an adversary strand that encrypts a message receives its key as a message, thus originating somewhere. Decryption and signature creation are similar.

The set of non-originating values is denoted non; the set of uniquely originating values is denoted unique.

Very often in DH-style protocols unique origination and non-origination are used in tandem. When a compliant principal generates a random x and transmits g^x, the former will be non-originating and the latter uniquely originating.

Executions are bundles. The strand space theory formalizes protocol executions by bundles. A bundle is a directed, acyclic graph. Its vertices are nodes on some strands (which may include both regular and adversary strands). Its edges include the strand succession edges n_1 ⇒ n_2, as well as communication edges written n_1 → n_2. Such a dag ℬ = (V, E_⇒ ∪ E_→) is a bundle if it is causally self-contained, meaning:

— If n_2 ∈ V and n_1 ⇒ n_2, then n_1 ∈ V and (n_1, n_2) ∈ E_⇒;

— If n_2 ∈ V is a reception node, then there is a unique transmission node n_1 ∈ V such that msg(n_2) = msg(n_1) and (n_1, n_2) ∈ E_→;

— The precedence ordering for ℬ, defined to be (E_⇒ ∪ E_→)*, is a well-founded relation.

The first clause says that a node has a causal explanation from the occurrence of the earlier nodes on its strand. The second says that any reception has the causal explanation that the message was obtained from some particular transmission node. The last clause says that causality is globally well-founded. It holds automatically in finite dags ℬ, which are the only ones we consider here.

When we assume that a value is non-originating, or uniquely originating, we constrain which bundles ℬ are of interest to us, namely those in which the value originates on no node of ℬ, or on one node of ℬ, respectively.

4 An Equational Theory of Messages 

As described in the Introduction, our challenge is to define an equational theory that captures the relevant algebra of DH-structures and admits a notion of reduction that supports modeling messages as normal forms. By the Decisional Diffie-Hellman assumption, an adversary cannot retrieve the exponent x from a value that a regular participant has constructed. This limitation is reflected in our formalism in a straightforward way. Namely, we do not provide a logarithm function in the signature of DH-structures.

In addition we must confront the fact that the exponents in a DH-structure form a field, and fields cannot be axiomatized by equations.

Our strategy is as follows. We work with a sort G for base-group elements and a sort E for exponents. The novelty is that we enrich E by adding a subsort NZE whose intended interpretation is the non-zero elements of E.

The device of expressing "non-zero" as a sort fits well with the philosophy of capturing uniform capabilities algebraically. For instance, no term which is a sum e_1 + e_2 will inhabit the sort NZE, because each finite field has finite characteristic and so there may be instantiations of the variables in e_1 + e_2 driving the term to 0. On the other hand, we will want to ensure that NZE is closed under multiplication; this is the role of the operator ** below.
Sorts: G, E, and NZE, with NZE a subsort of E.

    At sort G:                At sort E:                At sort NZE:
      1   : -> G                0, 1 : -> E               1   : -> NZE
      .   : G x G -> G          +, * : E x E -> E         i   : NZE -> NZE
      inv : G -> G              -    : E -> E             box : G -> NZE
      exp : G x E -> G                                    **  : NZE x NZE -> NZE

Table 1. The signature for AG^



We show in this section that AG^ admits a confluent and terminating notion of reduction. In Section 9 we prove a theorem that describes the sense in which AG^ captures the equalities that hold in almost all finite prime fields.

Definition 1. The theory AG^ is the equational theory comprising the sorts and operations given in Table 1 and the equations given in Table 2. We write box(t) as [t], and we write exp(t, e) as t^e.

We next construct an associative-commutative rewrite system from AG^. We orient each equation in Table 2 in the left-to-right direction, except for the associativity and commutativity of ·, +, and *. Confluence requires the new rules shown in Table 3, corresponding to equations derivable from AG^ that are needed to join critical pairs.

Definition 2. Let R be the set of rewrite rules given in Table 2 — read from left to right, but without associativity and commutativity — and in Table 3. The rewrite relation →_AG^ is rewriting with R modulo associativity and commutativity of ·, +, and *.

Theorem 1. The reduction →_AG^ is terminating and confluent modulo AC.

Proof. Termination can be established using the AC-recursive path order defined by Rubio [34] with a precedence in which exponentiation is greater than inverse, which is in turn greater than multiplication (and 1). This has been verified with the AProVE termination tool [19].

Then confluence follows from local confluence, which is established via a verification that all critical pairs are joinable. This result has been confirmed with the Maude Church-Rosser Checker [ ].

Terms that are irreducible with respect to →_AG^ are called normal forms. The following taxonomy of the normal forms will be crucial in what follows, most of all in the definition of indicators, Definition 4. The proof is a routine simultaneous induction over the size of e and t.
(E, +, 0, -, *, 1) is a commutative unitary ring:

    (x + y) + z = x + (y + z)        (x * y) * z = x * (y * z)
    x + y = y + x                    x * y = y * x
    x + 0 = x                        x * 1 = x
    x + (-x) = 0                     x * (y + z) = (x * y) + (x * z)

(G, ., inv, 1) is an abelian group:

    (a . b) . c = a . (b . c)        b . 1 = b
    a . b = b . a                    b . inv(b) = 1

Multiplicative inverse, closure at sort NZE:

    u ** v = u * v                   u * i(u) = 1
    i(u * v) = i(u) * i(v)           i(i(u)) = u

Exponentiation makes G a unitary right E-module:

    (a^u)^v = a^(u * v)              a^1 = a
    (a . b)^u = a^u . b^u            a^(x + y) = a^x . a^y
    a^0 = 1

Table 2. The theory AG^



Lemma 1. 1. If e : E is a normal form then e is a sum m_1 + ... + m_n where (i) each m_i is of the form e_1 * ... * e_k, k ≥ 0, (ii) no e_i is of the form i(e_j), and (iii) each e_i is one of:

    x,   i(x),   [t],   i([t])

with x an E-variable and t : G a G-normal form.

The case n = 0 is taken to mean e = 0; the case k = 0 is taken to mean m_i = 1. We call terms of the form m_i irreducible monomials.

2. If t : G is a normal form then t is a product t_1 · ... · t_n, n ≥ 0, where (i) no t_i is of the form inv(t_j), and (ii) each t_i is one of:

    v,   inv(v),   v^e,   inv(v^e)

with v a G-variable and e : E an irreducible monomial.
The case n = 0 is taken to mean t = 1.
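To make the indicator counting of Section 1 concrete over normal forms shaped as in Lemma 1, here is an added Python example; it is not code from the paper, and since Definition 4 is not on this page the counting rule is the one stated in Section 1, with the representation of monomials and G-terms as dictionaries being an assumption of the example.

```python
"""Indicators of DH messages, computed from AG^-style normal forms.

Exponents (sort E) are polynomials {monomial: int coefficient}; a monomial
e_1 * ... * e_k (Lemma 1) is a frozenset of (name, power) pairs, power +1 for
a variable x and -1 for its inverse i(x).  Group terms (sort G) are dicts
{base variable: exponent polynomial}, i.e. products of factors base^poly.
"""
from collections import Counter

ONE = frozenset()  # the empty monomial, i.e. the exponent constant 1

def evar(name, inverted=False):
    """The exponent variable `name`, or its multiplicative inverse i(name)."""
    return {frozenset({(name, -1 if inverted else 1)}): 1}

def eadd(p, q):
    """x + y on exponent polynomials; cancelled terms are dropped."""
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
        if r[m] == 0:
            del r[m]
    return r

def mono_mul(m, n):
    """Monomial product; x * i(x) cancels (u * i(u) = 1, Table 2)."""
    net = Counter()
    for name, k in list(m) + list(n):
        net[name] += k
    return frozenset((name, k) for name, k in net.items() if k != 0)

def emul(p, q):
    """x * y on exponent polynomials, distributing over sums."""
    r = {}
    for m, c in p.items():
        for n, d in q.items():
            mn = mono_mul(m, n)
            r[mn] = r.get(mn, 0) + c * d
            if r[mn] == 0:
                del r[mn]
    return r

def gvar(name):
    """A base-group variable such as g, Y_B or R_B."""
    return {name: {ONE: 1}}

def gmul(s, t):
    """s . t: exponents of a shared base add, and b . inv(b) = 1 vanishes."""
    r = dict(s)
    for base, p in t.items():
        r[base] = eadd(r.get(base, {}), p)
        if not r[base]:
            del r[base]
    return r

def gexp(t, e):
    """t^e: (a^u)^v = a^(u * v) and (a . b)^u = a^u . b^u."""
    return {base: emul(p, e) for base, p in t.items()}

def ginv(t):
    """inv(t): a^(-x) rewrites to inv(a^x), so every coefficient is negated."""
    return gexp(t, {ONE: -1})

def factors(t):
    """Lemma 1(2): factors v^e or inv(v^e), one per irreducible monomial,
    since a^(x + y) rewrites to a^x . a^y.  A coefficient c yields |c| copies."""
    out = []
    for base in sorted(t):
        for m, c in sorted(t[base].items(), key=lambda kv: sorted(kv[0])):
            out += [(base, m, c < 0)] * abs(c)
    return out

def indicator(monomial, basis):
    """Occurrence count of each uncompromised exponent; i(y) counts as -1."""
    powers = dict(monomial)
    return tuple(powers.get(name, 0) for name in basis)

def indicators(t, basis):
    """The indicators of a message: the union over its factors (Section 1)."""
    return {indicator(m, basis) for _, m, _ in factors(t)}

# Worked example from Section 1 with uncompromised basis (a, b, x, y).
BASIS = ("a", "b", "x", "y")
g = gvar("g")
a, b, x, y = (evar(n) for n in BASIS)

# CF's optimistic-case secret (g^y . g^b)^(x + a), Eqn. 11, has four factors.
cf_secret = gexp(gmul(gexp(g, y), gexp(g, b)), eadd(x, a))
# UM's hashed inputs g^(ab) and g^(xy), Eqn. 7, carry only two indicators.
um_inputs = gmul(gexp(g, emul(a, b)), gexp(g, emul(x, y)))
# g^(x * i(y)) has indicator (0, 0, 1, -1): y occurs inverted.
ratio = gexp(g, emul(x, evar("y", inverted=True)))

if __name__ == "__main__":
    for name, term in [("CF", cf_secret), ("UM", um_inputs), ("ratio", ratio)]:
        print(name, sorted(indicators(term, BASIS)))
```

Running the script lists the indicator sets; the CF secret yields the four vectors of Section 1, while the UM inputs yield only (1, 1, 0, 0) and (0, 0, 1, 1).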



5 Formalizing the Protocols and the Adversary 

We consider a collection of protocols that all involve the same strands, i.e. sequences of transmissions, receptions, and neutral events. They differ almost exclusively in the key computations used to generate the shared secret.
    At sort G:                            At sort E:
      inv(1) -> 1                           -(0) -> 0
      inv(a . b) -> inv(a) . inv(b)         -(x + y) -> -(x) + -(y)
      inv(inv(b)) -> b                      -(-(x)) -> x
      (inv(a))^x -> inv(a^x)                0 * x -> 0
      a^(-(x)) -> inv(a^x)                  -(x) * y -> -(x * y)

Table 3. Additional rewrite rules for ->_AG^



Fig. 1. IADH Initiator and Responder Strands. In the figure, c_P = [cert Y_P || P]_sk(CA) is P's certificate and d(P, P') = keyrec P || P' || K is the key record deposited into local state.



MQV and UM [ ] both fit our pattern. Various other protocols fit this pattern with some cajoling. KEA [ ] fits the pattern too, although its key computation uses addition mod p to combine its two exponentiated values. Cremers-Feltz's protocol CF [ ], in which the shared secret is g^{(x + a)(y + b)}, almost fits: They use the digitally signed messages [R_A]_sk(A) and [R_B]_sk(B). Our analysis is equally applicable in this case.

In these protocol descriptions, we make explicit aspects that are normally left implicit. One is the interaction with the certifying authority. Kaliski argues that the certification protocol should be considered in analysis, because the correctness of forms of a protocol may depend on exactly what checks a CA has actually made. We will also show how the local session interacts with the local principal state.

The IADH initiator and responder roles. We summarize the activities of regular initiators and responders in Figure 1. We specify, for the initiator A:

1. A retrieves its principal name A, its long term secret a, and its public certificate c_A from its secure storage.

2. A chooses a fresh ephemeral x, transmitting R_A = g^x.

3. A receives some R_B, which it checks to be a non-trivial group element, i.e. a value of the form g^y for some y ≠ 0, 1 mod q.

4. It receives a certificate c_B associating Y_B with B's identity. We do not specify here how the participant determines what name B to require in this certificate, or how it determines which CAs to accept. This is implementation-dependent.

5. Finally, A performs the protocol-specific key computation to determine K. A checks that the exponentiations yield non-1 values, and fails if any yields 1. On success, A deposits a key record into its local state database, so that K may be used for a secure conversation between A and B.

In clause 2, A chooses x freshly. Because A never sends x as an ingredient in any message — but only g^x — it follows that x has negligible probability of occurring in a message. After all, A does not send it; any other regular participant is overwhelmingly unlikely to choose the same value again; and the adversary is overwhelmingly unlikely to choose it, e.g. as a guess. For this reason we model x as being "non-originating"; for the same reason, g^x is declared to be uniquely originating.

We always add the assumptions that x is non-originating and g^x is uniquely originating whenever a regular strand selects R_A = g^x. In particular, since x is a fresh, unconstrained choice that the principal makes, we always instantiate it with a simple value, essentially a parameter, and never with a compound expression like y * i(z). Essentially, x is a generator of the algebra of normal forms of AG^.

A responder B behaves in a corresponding fashion, with predictable changes to the names of its parameters. The only real change is that it receives an ephemeral public value R_A in step 2 before generating its ephemeral secret y and transmitting its ephemeral public value g^y in step 3. We will assume that y is non-originating and g^y is uniquely originating whenever a regular responder strand selects R_B = g^y.

The parameters to an initiator strand are A, B, a, x, Y_B, R_B. We write them in this order, and refer (e.g.) to the fourth parameter as x, despite the fact that different instances of the role have different choices for the parameter x. The parameters to a responder strand are A, B, b, y, Y_A, R_A; thus, we will write the (purported) initiator's name first, and the (actual, known) responder's name second.

We make an assumption on the principal states, namely that the neutral node ∘ (A, a, c_A) starting an initiator or responder strand is possible only if the same principal A has on some earlier occasion received a certificate c_A, and deposited it into its state. Certificates do not emerge ex nihilo. Gathering our assumptions on regular initiator and responder strands:

Assumption 2 Suppose that ℬ is a bundle.

1. If ℬ contains an initiator strand s with parameters A, B, a, x, Y_B, R_B, then:

a. x is non-originating, and g^x is uniquely originating.

b. x is a parameter, not a compound expression.

c. For some transmission node n ∈ ℬ, c_A ⊑ msg(n) and n ≺ s_1, where s_1 is the first node on strand s.

2. Symmetrically for responder strands s in ℬ, with parameters A, B, b, y, Y_A, R_A:

a. y is non-originating, and g^y is uniquely originating.

b. y is a parameter, not a compound expression.

c. For some transmission node n ∈ ℬ, c_B ⊑ msg(n) and n ≺ s_1, where s_1 is the first node on strand s.

Our results do not depend on the specific ordering of events in initiator and responder strands. As long as the neutral node retrieving the long term secret and certificate occurs before any of the other events, and as long as the neutral node depositing K into the state occurs only after the other events, then our results remain correct. They also do not distinguish between initiator and responder strands: We would allow two initiator strands to succeed in implicit authentication, for instance.

Key computation functions. The shared secret K is generated using different functions in different IADH protocols. In the Unified Model UM, the key is generated by

    A: K = H(Y_B^a || R_B^x)      B: K = H(Y_A^b || R_A^y)      (6)

In the optimistic case that R_A = g^x and R_B = g^y,

    K = H(g^{ab} || g^{xy})      (7)

In MQV the key is generated by

    A: K = (R_B · Y_B^{[R_B]})^{s_A}      B: K = (R_A · Y_A^{[R_A]})^{s_B}      (8)

(where s_A = (x + a[g^x]) and s_B = (y + b[g^y])), so when R_A = g^x and R_B = g^y the principals compute g^{(s_A · s_B)}, as in Eqn. 5.

The key computation for Cremers-Feltz CF — somewhat simplified to make it more parallel to the UM and MQV computations — is:

    A: K = (R_B · Y_B)^{x + a}      B: K = (R_A · Y_A)^{y + b}      (10)

so that, in the same optimistic case,

    (g^y · g^b)^{(x + a)} = g^{(y + b)(x + a)} = g^{xy} · g^{xb} · g^{ya} · g^{ab}      (11)

The occurrences of a, b, x, y in these terms show us a contrast between UM and the other two. In the latter, all four pairs consisting of one parameter from a, x and one from b, y, appearing together, may be found in the exponent of some factor of the final shared secret. However, in UM, only two of these pairs appear. This suggests that UM is more fragile than the other two, and this explains why it is vulnerable to key compromise impersonation while the others are not.
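As an added numeric check of the key computations of Section 2 and of Eqns. 6–11 (not code from the paper), the following Python runs honest UM, MQV and CF sessions over a constructed toy group and compares both ends against the closed forms the text derives; the concrete box operator, the fixed-width encoding of t || t' and SHA-256 as H are assumptions of the example.

```python
"""Both ends of UM, MQV and CF over a constructed toy group.

Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 generates
the subgroup of prime order q.  Real groups are vastly larger; the point is
to check that both ends compute the closed forms of Eqns. 5, 7 and 11.
"""
import hashlib

P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def box(r):
    """The [r] operator: coerce a group element to a non-zero exponent.
    Assumed here to follow the MQV convention (low half of the bits, with
    the next bit set); the text only says it yields a usable exponent."""
    half = (Q.bit_length() + 1) // 2
    return (r % (1 << half)) + (1 << half)


def is_nontrivial(r):
    """Step 3 of the IADH roles: accept only g^e with e != 0, 1 mod q."""
    return 1 < r < P and r != G and pow(r, Q, P) == 1


def H(u, v):
    """H(u || v): SHA-256 of the fixed-width concatenation of two elements."""
    data = u.to_bytes(2, "big") + v.to_bytes(2, "big")
    return hashlib.sha256(data).hexdigest()


def um_key(own_long, own_eph, peer_Y, peer_R):
    """Eqn. 6: A computes H(Y_B^a || R_B^x), B computes H(Y_A^b || R_A^y)."""
    return H(pow(peer_Y, own_long, P), pow(peer_R, own_eph, P))


def mqv_key(own_long, own_eph, peer_Y, peer_R):
    """Eqn. 8: K = (R_peer . Y_peer^[R_peer])^s, s = eph + long * [R_own]."""
    own_R = pow(G, own_eph, P)
    s = (own_eph + own_long * box(own_R)) % Q
    base = (peer_R * pow(peer_Y, box(peer_R), P)) % P
    return pow(base, s, P)


def cf_key(own_long, own_eph, peer_Y, peer_R):
    """Eqn. 10: K = (R_peer . Y_peer)^(eph + long)."""
    return pow((peer_R * peer_Y) % P, (own_eph + own_long) % Q, P)


def run_session(a, b, x, y):
    """Honest run: A holds (a, x), B holds (b, y); returns both sides' keys.
    Raises if a received value fails the non-trivial-group-element check."""
    Ya, Yb = pow(G, a, P), pow(G, b, P)     # long-term public values
    Ra, Rb = pow(G, x, P), pow(G, y, P)     # ephemeral public values
    for r in (Ya, Yb, Ra, Rb):
        if not is_nontrivial(r):
            raise ValueError(f"rejected group element {r}")
    keys = {}
    for name, f in (("UM", um_key), ("MQV", mqv_key), ("CF", cf_key)):
        keys[name] = (f(a, x, Yb, Rb), f(b, y, Ya, Ra))   # (A's key, B's key)
    return keys


def closed_forms(a, b, x, y):
    """The optimistic-case values the text derives for each protocol."""
    sA = (x + a * box(pow(G, x, P))) % Q
    sB = (y + b * box(pow(G, y, P))) % Q
    return {
        "UM": H(pow(G, a * b, P), pow(G, x * y, P)),        # Eqn. 7
        "MQV": pow(G, (sA * sB) % Q, P),                    # Eqn. 5
        "CF": pow(G, ((x + a) * (y + b)) % Q, P),           # Eqn. 11
    }


if __name__ == "__main__":
    keys = run_session(a=17, b=29, x=101, y=233)
    for name, (ka, kb) in keys.items():
        print(name, "A == B:", ka == kb, ka)
```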
Fig. 2. Strands for Certificate Requests



In Section 9, we will develop an algebraic theory to justify this kind of anal- 
ysis. 

Requesting and issuing certificates. We also identify protocol roles for 
requesting certificates from certificate authorities, and for the CAs to issue them 
(Fig. 2). The client makes a request with its name P and public value Yp, and, 
if successful, receives a certificate which it deposits into its local state. In its 
request, a compliant principal named P always chooses a fresh long-term secret 
a, and computes Y = g". The CA, on receiving a request, issues a certificate 
after a "proof of possession" protocol pop intended to show P possesses an a 
such that g"" = Y. We will not make pop explicit. 

We assume, whenever a bundle contains a regular certificate request, that
its g^a = Y is uniquely originating. Any subsequent use of Y must obtain it
through some sequence of message transmissions and receptions tracing back,
ultimately, to this originating node. We will not, however, always assume a is
non-originating, since carelessness or malice may eventually lead to the disclosure
of a. Instead, if a particular a is non-originating, we will explicitly state that as
a hypothesis in the security goals that depend on it.

We assume the CA is uncompromised, i.e. sk(CA) ∈ non. CA, when receiving
Y, should ensure that Y ≠ g^0, g^1, and that it is a member of the group (e.g. via
the little Fermat test). Hence, there is an e such that Y = g^e.

Moreover, a successful pop means that the requester possesses an exponent e
such that Y = g^e. The requester is either a regular participant or the adversary.
Thus, either:

— e is some parameter a, and g^a originates uniquely on a certificate request
strand; or else

— the request comes from an adversary strand, and e is available to the adversary.

We will model the latter by assuming that the bundle containing this certificate
generation strand also contains a listener strand n = • ← e with msg(n) = e.

Assumption 3 Let ℬ be a bundle containing [cert Y || P]_sk(CA). Assume
sk(CA) ∈ non_ℬ, and moreover:

1. For a certificate request strand, with parameters P, a, CA:
   a. g^a originates uniquely;
   b. a is a parameter, not a compound expression.

2. For a CA strand, with parameters P, Y, CA:
   a. There exists an e ≠ 0, 1 such that Y = g^e;
   b. Either Y = g^a where g^a ∈ unique_ℬ, and g^a originates on a regular
      certificate request strand, or else there exists n ∈ ℬ with msg(n) = e.

By Clause 2b, if a ∈ non_ℬ, then for at most one P can a certificate [cert g^a ||
P]_sk(CA) be issued. The IADH protocols are defined by the four roles shown in
Figs. 1-2, using a key computation such as those in MQV, UM, and CF.

The Adversary. An adversary strand has zero or more reception nodes followed
by a transmission node:

Definition 3. Adversary strands take the forms:

— Emission of a basic value a: (+a)

— Constructor strands: (−a_1 ⇒ ... ⇒ −a_n ⇒ +t) where t is in Gen(a_1, ..., a_n)

— Destructor strands: (−t ⇒ +s_1 ⇒ ... ⇒ +s_n) where t is a concatenation of the
values s_i.

— Encryption strands: (−K ⇒ −t ⇒ +{|t|}_K)

— Decryption strands: (−K^{−1} ⇒ −{|t|}_K ⇒ +t)

Suppose that S_1, ..., S_k are node-disjoint adversary strands. An adversary web [21]
using S_1, ..., S_k is an acyclic graph whose vertices are the nodes of the S_i, where
for each edge (n, n'), either (i) n ⇒ n' on some strand or (ii) n is a transmission
node, n' is a reception node, and msg(n) = msg(n').

This adversary model motivates a game between the adversary and the system:

1. The system chooses a security goal Φ, involving secrecy, authentication, key
compromise, etc., as in Figs. 3-6.

2. The adversary chooses a potential counterexample A consisting of regular
strands with equations between values on the nodes, e.g. an equation between
a session key computed by one participant and a session key computed by
another participant.

3. To show that A can occur, the adversary chooses how to generate the messages
in A.

   For each message reception node in A, the adversary must provide an acceptable
   message in time for that event. The adversary benefits from transmission
   events on regular strands, which he can use to build messages for subsequent
   reception events. For each reception node, the adversary chooses a recipe,
   consisting of an adversary web, using the strands of Def. 3.
   This map, which associates an adversary web to every message reception event,
   is the adversary strategy.

   The adversary strategy determines a set of equalities between a value computed
   by the adversary and a value t "expected" by the recipient, or acceptable
   to the recipient. They are the adversary's proposed equations.

4. The adversary wins if his proposed equations are valid in (G_q, F_q), for
infinitely many primes q.






This game may seem too challenging for the adversary. First, it wins only if
the equations are valid, i.e. true for all instances of the variables. However,
the adversary's proposed equations determine polynomials, and each of these
polynomials has a syntactically determined degree d. If it is not valid, it can
have at most d solutions, independent of the choice of (G_q, F_q). Hence, the set
of values for which the adversary's strategy works remains small, regardless of
how the cardinality of the structure (G_q, F_q) grows.

Second, the adversary must choose how to generate all the messages, its adversary
strategy, before seeing any concrete bitstrings, or indeed learning the
prime q. This objection motivates future research into the computational soundness
of our approach. The hardness of DDH seems to suggest that the adversary
acquires no useful advantage from seeing the values etc. Any definite claim
would require a reduction argument.

6 Indicators

We turn now to a formal definition of indicators and the proof of a key invariant
that all adversary actions preserve.

Let Z^k denote the set of all k-tuples of integers. For intuition about the
following definition, think of N as being a set of non-originating values for a
bundle. If m is a monomial occurring as a subterm of a term t, say that m is
"maximal-monomial" if t has a subterm of the form g^m.

Definition 4 (Indicators). Let N = (v_1, ..., v_k) be a vector of NZE-variables.
If m is an irreducible monomial, the N-vector for m is (z_1, ..., z_k) where z_i is
the multiplicity of v_i in m, counting occurrences of i(v_i) negatively.

If e = m_1 + ... + m_k is a term of type E, then e is N-free if each m_i has
N-vector (0, ..., 0).

When t_0 is any base term in normal form, then Ind_N(t_0) is the set of all
vectors z such that z is the N-vector of m, where m is a maximal-monomial
subterm of t_0.

If t = t_1 || t_2, then Ind_N(t) = Ind_N(t_1) ∪ Ind_N(t_2).

If t = {|t_1|}_{t_2}, then Ind_N(t) = Ind_N(t_1).

Thus, Ind_N(t) for a compound term t is the union ∪ Ind_N(t_0), taking the union
over all the base terms t_0 that are ingredients of t, i.e. t_0 ⊑ t.

Example: For N = (x, y), if t is

    g^{x · i(y)} · g^{x[g^a]} · g^{xx[g^y]},

then Ind_N(t) = {(1, −1), (1, 0), (2, 0)}. The boxed values do not contribute to
the indicators.

Since we often encounter indicators with no non-zero entries, we will write 0
for this indicator (0, ..., 0). We will also write 1_x, 1_a, etc., for the indicator
that has a single 1 in the position for that parameter, e.g. for (0, 0, 1, 0) and
(1, 0, 0, 0) if the parameters are a, b, x, y in that order. Every message sent in
IADH protocols is of this form: All the indicator weight is concentrated in at
most a single 1. A message g^c with c ∉ non has indicator 0.

Since the union ∪ Ind_N(t_0) is over all the ingredients t_0 ⊑ t, it does not
include values used only as keys in encryptions. Thus, a protocol may compute a
secret such as g^{xy} with an indicator (0, 0, 1, 1) = 1_x + 1_y, and then apply a key
derivation function, obtaining k = kdf(g^{xy}). If participants then send encrypted
messages {|t_1|}_k, then they have not transmitted a message with indicator 1_x + 1_y.

Definition 5. Let T = {t_1, ..., t_k} be a set of terms. The set Gen(T) generated
by T is the least set of terms including T and closed under the term-forming
operations.

The term-forming operations cannot cancel to reveal a v_i ∈ N:

Theorem 4. Suppose T is a collection of terms such that every e ∈ T of sort
E is N-free. Then

1. every e ∈ Gen(T) of sort E is N-free, and

2. if u ∈ Gen(T) is of sort G and z ∈ Ind(u) then for some t ∈ T, z ∈ Ind(t).

Proof. By induction on the operations used to construct terms from elements of T.

The interesting cases are when u is of the form u_1 u_2 or t^e where t, u_1, u_2
and e are each normal form terms in Gen(T).

In the first case, then, u is a product

    t_1 · ... · t_n

where each factor comes from u_1 or u_2. Since each t_i is of the form v, inv(v), or v^e,
the normal form of this term results by canceling any factors (from different u_i)
that are inverses of each other. No new v^e-subterms are created, so no new indicator
vectors are created, and our assertion follows.

The other case is when u is t^e. Note that since e is in Gen(T) we know that e
is N-free. It suffices to show that Ind(t^e) = Ind(t). Letting t be in normal form, t^e
is

    (t_1)^e · ... · (t_n)^e

Each (t_i)^e is of the form

    (i(v))^e    (v^{e'})^e    (inv(v^{e'}))^e

The first two terms are N-free. The second kind of term reduces to v^{e' · e}, and
the indicator set for this term is precisely Ind(e') since e is N-free. The last term
reduces to inv(v^{e' · e}) and we can argue just as in the previous case.

The cases for concatenation and encryption are immediate from the induction
hypothesis, since they simply propagate indicator vectors.

An Adversary Limitation. We justify now our central technique, that the
adversary cannot generate messages with new indicators, using variables of sort
E that are non-originating before node n.

Definition 6. A basic value a is non-originating before n in bundle ℬ if, for
all n' ⪯_ℬ n, a does not originate at n'.

The indicator basis IB_ℬ(n) of node n, where n is a node of ℬ, is the set:

    {a of sort E : a is non-originating before n}.

We assume IB_ℬ(n) is ordered in some conventional way.

Theorem 5. Let W be an adversary web of ℬ, and let n be a transmission
node of W, and let N be a sequence of elements drawn from IB_ℬ(n). If v ∈
Ind_N(msg(n)), then there is a regular transmission node n' ⪯ n in ℬ such that
v ∈ Ind_N(msg(n')).

Proof. Let T_R be the set of messages received on W, and let T_M be the set
of basic values emitted by W; set T = T_R ∪ T_M. The message u = msg(n)
is in Gen(T). The set T_R is N-free, as a consequence of the fact that every
message received on W must have originated, and T_M is N-free since it is a set
of basic values not in N (indeed, each term in T_M has an empty indicator set).
So Theorem 4 applies. Since each t ∈ T_M has empty indicator set we conclude
that every indicator in u comes from a message in T_R, as desired.

In IADH protocols, every message from regular participants has indicators in
{0}, {1_a}, {1_b}, {1_x}, {1_y}, etc. Since the adversary can never transmit a message
with any indicators he has not received, no messages with other indicators
will ever be sent or received. Messages encrypted using keys derived from Diffie-
Hellman values preserve this property. Using Thm. 5 and Assumption 3, 2b:

Corollary 1. Let ℬ be a bundle for an IADH protocol using certificates [cert g^a ||
P]_sk(CA) and [cert g^e || P']_sk(CA). If a ∈ non_ℬ and Ind_(a)(e) ≠ 0, then a = e
and P = P'.

7 Analyzing IADH Protocols

We now embark on analyzing IADH protocols, focusing on UM, MQV, and CF. We
aim to illustrate the way that our algebraic tools, normal forms and indicators,
work together with the more familiar tools of symbolic protocol analysis. These
are notions such as causal well-foundedness that are basic to strand spaces. We
start with properties for which the indicators bear the main burden. In Section 8
we turn to implicit authentication. It requires subtler proofs, which are more
sensitive to the details of the key computation.

We believe that our presentation of security goals is a contribution in itself.
They appear to us to be clear distillations of the structural elements in the goals,
which have often appeared in more cluttered forms, particularly obscured by
more operational ideas, in some of the literature.

We start though with a useful lemma about the session keys produced by
regular strands, saying that they always reflect the parameters of that strand.
Fig. 3. Key secrecy: This diagram cannot occur

Lemma 2. Let protocol Π be an IADH protocol, but possibly without Assumption 2,
Clauses 1a and 2a.

Suppose ℬ is a Π-bundle, and s is a Π initiator or responder strand with
long term secret a and ephemeral value x, succeeding with key K:

Π is UM: If x ∈ non_ℬ, then for K = H(Y_B^a || R_B^x), we have 1_x ∈ Ind_(x)(K).
If a ∈ non_ℬ, then 1_a ∈ Ind_(a)(K).

Π is MQV: If x ∈ non_ℬ, then for K = (R_B · Y_B^{[R_B]})^{x + a[R_A]}, we have 1_x ∈ Ind_(x)(K).
If a ∈ non_ℬ, then 1_a ∈ Ind_(a)(K).

Π is CF: If x ∈ non_ℬ, then for K = (R_B · Y_B)^{x + a}, we have 1_x ∈ Ind_(x)(K).
If a ∈ non_ℬ, then 1_a ∈ Ind_(a)(K).

Proof. For UM, a or x can cancel only if s receives a value R_B or Y_B with indicator
(−1) for a or x, resp. Hence there is some earlier node m on which some message
with indicator (−1) was transmitted; let m_0 be a minimal such node.

However, by the definitions, m_0 is not a regular node, since regular nodes transmit only
values with non-negative indicators. By Thm. 5, m_0 cannot be an adversary
node either, when a or x ∈ non_ℬ resp.

For MQV, let R_B = g^η, where η is a possibly compound value the adversary
may have engineered, and let Y_B = g^β. Now K = g^{xη} · g^{aη[g^x]} · g^{xβ[g^η]} · g^{aβ[g^x][g^η]}.
K may be a-free because g^{aη[g^x]} and g^{aβ[g^x][g^η]} cancel. This occurs when aη[g^x] =
−aβ[g^x][g^η], i.e. η = −β[g^η]. However, in this case x also cancels out, as xη =
−xβ[g^η]. So the exponent is 0 and K = 1, contradicting the assumption that
strand s delivers a successful key.

MQV could also cancel if R_B or Y_B has indicator (−1), but this is excluded
by the same argument as with UM.

The argument for CF is the same as for MQV.

Key Secrecy and Impersonation. In Fig. 3 we present the core idea of key
secrecy. Suppose that the upper strand s is an initiator or responder run that
ends by computing session key K. Moreover, suppose that a listener strand is
present, which receives K. Then, if the long term secrets a, b ∈ non, this diagram
cannot be completed to a bundle ℬ. This holds even without the freshness
assumptions on regular initiator and responder strands.

Security Goal 6 (Key Secrecy) Suppose that ℬ is a Π-bundle with a, b ∈
non_ℬ, and strand s is a Π initiator or responder strand with long term secret
parameter a and long term peer public value Y = g^b. Then ℬ does not contain
a listener • ← K.
Theorem 7. Let protocol Π be an IADH protocol using any of the key computation
methods in Eqns. 6, 8, 10, but possibly without Assumption 2, Clauses 1a
and 2a. Then Π achieves the security goal of key secrecy.

Proof. For sake of contradiction suppose that • ← K is in ℬ. Then K is transmitted
on some node. Computing indicators relative to the basis (a, b), K has
indicator (1, 1) (by Eqns. 7-9, 11 and Lemma 2). By Thm. 5, some regular node
transmits a message with indicator (1, 1). But this is a contradiction, since regular
strands transmit only values with indicators (0, 0) and, during certification,
(1, 0) and (0, 1).

Curiously, resistance to impersonation attacks concerns the same diagram, Fig. 3,
although with different assumptions. An impersonation attack is a case in which
the adversary, having compromised A's long term secret a, uses it to obtain a
session key K, while causing A to have a session yielding K as session key. If
A's session uses Y_B = g^b, where b is the uncompromised long term secret of B,
then the adversary has succeeded in impersonating B to A.* The protocols MQV
and CF resist impersonation attacks, but UM does not. In this result, we rely
on the freshness assumptions on regular initiator and responder strands,
Assumption 2, Clauses 1a and 2a. We are in effect trading off an assumption on
a long term secret for assumptions on the ephemeral values.

Security Goal 8 (Resisting Impersonation) Suppose that ℬ is a Π-bundle
with b ∈ non_ℬ, and strand s is a Π initiator or responder strand using ephemeral
secret x and long term peer public value Y = g^b. Then ℬ does not contain a
listener • ← K.

Theorem 9. Let protocol Π be an IADH protocol using either of the two key
computation methods in Eqns. 8 and 10. Then Π achieves the security goal of
resisting impersonation.

Proof. For sake of contradiction suppose that • ← K is in ℬ. Then K is transmitted
on some node. When we compute indicators relative to the basis (b, x),
K has indicator (1, 1) (by Eqns. 7-9, 11 and Lemma 2). By Thm. 5 we conclude
that some regular node transmits a message with indicator (1, 1). But this is a
contradiction, since regular strands transmit only values with indicators (0, 0)
and, during certification, (1, 0) and (0, 1).

This argument does not apply to UM, because its key K = H(g^{ab} || g^{xy}) has
indicators {(1, 0), (0, 1)} in this basis. Thus, Theorem 5 buys us nothing. In fact,
UM fails to prevent impersonation attacks.
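The indicator bookkeeping of Definition 4, the closure argument of Theorem 4, and the choice of basis in the proofs of Theorems 7, 9 and 11 can all be checked mechanically. The following Python is an added example, not code from the paper: it represents a normal-form G-term by its exponent monomials (boxed values omitted, since they never count), computes Ind_N relative to a chosen basis, evaluates the optimistic-case UM, MQV and CF keys, and runs a bounded brute-force check that products and N-free exponentiation never reach a new indicator. The function names and the protocol labels are this example's own conventions.

```python
"""Indicator calculator: an added example, not code from the paper."""
from itertools import product


def mono(**powers):
    """Irreducible monomial: mono(a=1, b=1) is ab, mono(x=1, y=-1) is x·i(y).
    Boxed values [g^v] are never recorded: they do not count (Definition 4)."""
    return tuple(sorted((v, k) for v, k in powers.items() if k != 0))

def mono_mul(m, n):
    """Product of two monomials: multiplicities add."""
    d = dict(m)
    for v, k in n:
        d[v] = d.get(v, 0) + k
    return mono(**d)

def n_vector(m, basis):
    """N-vector of a monomial: multiplicity of each basis variable, i(v) counts -1."""
    d = dict(m)
    return tuple(d.get(v, 0) for v in basis)

def eterm(*monos):
    """E-term (a sum of monomials) as {monomial: integer coefficient}."""
    e = {}
    for m in monos:
        e[m] = e.get(m, 0) + 1
    return e

# A G-term g^{m_1} · ... · g^{m_n} in normal form is represented by its exponent,
# so gterm(xy, ab) stands for g^{xy} · g^{ab}.
gterm = eterm

def indicators(t, basis):
    """Ind_N(t) for a base term of sort G: the N-vectors of its maximal monomials."""
    return {n_vector(m, basis) for m, c in t.items() if c != 0}

def is_n_free(e, basis):
    """An E-term is N-free when every monomial has the zero N-vector."""
    return all(n_vector(m, basis) == (0,) * len(basis) for m in e)

def multiply(t1, t2):
    """Product of G-terms: exponents add, so a factor and its inverse cancel
    (Theorem 4, first case: no new monomial appears)."""
    out = dict(t1)
    for m, c in t2.items():
        out[m] = out.get(m, 0) + c
    return {m: c for m, c in out.items() if c != 0}

def power(t, e):
    """t^e: every monomial of t is multiplied by every monomial of e
    (Theorem 4, second case; for N-free e the indicators of t are unchanged)."""
    out = {}
    for (m, c), (n, d) in product(t.items(), e.items()):
        key = mono_mul(m, n)
        out[key] = out.get(key, 0) + c * d
    return {m: c for m, c in out.items() if c != 0}

def generated_indicators(gterms, eterms, basis, rounds=2):
    """Indicators reachable from gterms by products and by exponentiation with
    the N-free eterms: a bounded, brute-force check of Theorem 4, clause 2."""
    if not all(is_n_free(e, basis) for e in eterms):
        raise ValueError("exponents must be N-free")
    terms = list(gterms)
    for _ in range(rounds):
        terms += [multiply(s, t) for s in terms for t in terms]
        terms += [power(t, e) for t in terms for e in eterms]
    seen = set()
    for t in terms:
        seen |= indicators(t, basis)
    return seen

def key_ingredients(protocol):
    """Base-term ingredients of the session key in the optimistic case
    R_A = g^x, R_B = g^y, Y_A = g^a, Y_B = g^b (Eqns. 7, 9 and 11)."""
    xy, xb, ya, ab = mono(x=1, y=1), mono(x=1, b=1), mono(y=1, a=1), mono(a=1, b=1)
    if protocol == "UM":    # K = H(g^{ab} || g^{xy}): two ingredients under the hash
        return [gterm(ab), gterm(xy)]
    if protocol == "MQV":   # g^{xy} · g^{xb[g^y]} · g^{ya[g^x]} · g^{ab[g^x][g^y]}
        return [gterm(xy, xb, ya, ab)]
    if protocol == "CF":    # (R_B · Y_B)^{x+a} from Eqn. 10, expanded as in Eqn. 11
        return [power(multiply(gterm(mono(y=1)), gterm(mono(b=1))),
                      eterm(mono(x=1), mono(a=1)))]
    raise ValueError(protocol)

def key_indicators(protocol, basis):
    """Union of Ind_N over the key's ingredients, as Definition 4 prescribes."""
    s = set()
    for t in key_ingredients(protocol):
        s |= indicators(t, basis)
    return s

def full_weight_present(protocol, basis):
    """True when K carries (1, 1) relative to a two-element basis: the fact that
    the proofs of Theorems 7 ((a,b)), 9 ((b,x)) and 11 ((x,y)) rely on."""
    return (1, 1) in key_indicators(protocol, basis)
```

Relative to (b, x), only MQV and CF keys carry (1, 1), which is exactly why the impersonation argument above works for them and not for UM.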

Forward Secrecy. Forward secrecy is generally described as preventing disclosure
of the session key of a session, if the long-term secrets of the regular participants
in that session are compromised subsequently. We consider two different

* By contrast, it is hopeless, when a is compromised, to try to prevent the adversary
from impersonating A to others.
Fig. 4. Weak forward secrecy: This diagram cannot occur

Fig. 5. Strong Forward Secrecy: This diagram cannot occur

versions of the forward secrecy property. The first may be called weak forward secrecy,
and all of our IADH protocols achieve it. We present weak forward secrecy
in Fig. 4. Essentially, weak forward secrecy holds because the non-originating
ephemeral values x, y prevent the adversary from computing the session key.
Thus, Assumption 2, Clauses 1a and 2a are essential.

Security Goal 10 (Weak Forward Secrecy) Suppose that ℬ is a Π-bundle,
and strands s_1, s_2 are distinct Π initiator or responder strands, issuing the same
session key K. Then ℬ does not contain a listener • ← K.

Theorem 11. Let protocol Π be an IADH protocol using any of the key computation
methods in Eqns. 6, 8, 10. Then Π achieves the weak forward secrecy
security goal.

Proof. Just as for Theorems 7 and 9: in this case compute indicators relative to
the basis (x, y), and note that K has indicator (1, 1) yet regular strands transmit
only values with indicators (0, 0) and, during certification, (1, 0) and (0, 1).

A stronger notion of forward secrecy stresses the word subsequently. A local 
session occurs, and the compromise of the long term keys happens after that 
session is finished: Can the adversary then retrieve the session key? We formalize 
this idea in a diagram in which the long term secrets a, b are transmitted after 
a session issuing in session key K completes. Moreover, we assume that the 
long term secrets are uniquely originating. This implies that they cannot have 
been used before the session completed, which is exactly the intended force of 
considering a subsequent compromise. 
Fig. 6. Implicit authentication: In this diagram, A = A' and B = B'

Figure 5 illustrates this situation. The slanted dotted line separates past from
future, meaning that any event northwest of the dotted line occurs before any
event southwest of it. This ordering relation between the end of the strand and
the point of disclosure is essential to the idea. Also essential is a, b, sk(B) ∈
unique, where sk(B) is B's signing key. MQV and UM do not achieve perfect
forward secrecy. CF, like the Station-to-Station protocol (Eqn 2), does, for a
similar reason.

Security Goal 12 (Forward Secrecy) Suppose that ℬ is a Π-bundle with
a, b, sk(B) ∈ unique_ℬ, and strand s is a Π initiator or responder strand using
long term secret a and long term peer public value Y = g^b. Suppose that
• → a, b occurs subsequent to the last reception on s. Then ℬ does not contain
a listener • ← K.

Theorem 13. Let protocol Π be the CF protocol, with the ephemeral values
R_A, R_B signed as [R_A]_sk(A) and [R_B]_sk(B). Then Π achieves the forward secrecy
goal.

Proof. Since [R_B]_sk(B) is received on a node of s, and there is no compromise
of B's signing key until it has been received, there has been a regular node
transmitting [R_B]_sk(B). This follows from the Honest Ideal Theorem [35] or the
Authentication Test Principle [ ].

Since a signed value [R_B]_sk(B) is transmitted only on a regular initiator or
responder strand, we know that R_B = g^y for some y ∈ non_ℬ. We may now take
indicators relative to (x, y), and the rest of the proof proceeds as before.

Given the absence of signed units in MQV and UM, they have no analog to the
first step of this proof.

8 The Implicit Authentication Goal 

Implicit authentication has been controversial, with a distinction between "implicit
key authentication" and "resisting unknown key-share attacks" [5,25,30].

The essential common idea is expressed in Figure 6. It shows two strands
that compute the same session key K. One has parameters [A, B', ...] and the
other has parameters [A', B, ...], where we assume that the parameter for the
initiator's name appears first (A, A') and the parameter for the responder's name
appears second (B', B). The authentication property is that the participants
agree on each other's identities, so that the responder has the correct opinion
about the initiator's identity and vice versa.

Implicit key authentication and resisting unknown key share attacks differ in
what non-compromise assumptions they make.

Resistance to unknown key-share attacks is the property that A = A' and
B = B' whenever a, b ∈ non. The weaker assertion, implicit key authentication, is
that A = A' and B = B' whenever a, b, a' ∈ non. The additional non-compromise
assumption is about a', the long term secret of the principal E that B thinks he
is communicating with:

    by definition the provision of implicit key authentication is considered
    only where B engages in the protocol with an honest entity (which E
    isn't). [ ]

Law et al. [30] use similar language. Resisting unknown key share attacks is simpler
and more robust, and we will refer to it as implicit authentication (without
"key").

Security Goal 14 (Implicit Authentication) Suppose that ℬ is a Π-bundle
with a, b, sk(B) ∈ non_ℬ, and strands s_1, s_2 are Π initiator and responder strands
with parameters [A, B', a, x, Y_B', R_B'] and [A', B, b, y, Y_A', R_A'] resp., where s_1, s_2
both yield session key K. Then A = A' and B = B'.

Weak implicit authentication states that A = A', under the extra assumption
that there exists an a' ∈ non_ℬ such that Y_A' = g^{a'}. Symmetrically, B = B',
under the extra assumption that there exists a b' ∈ non_ℬ such that Y_B' = g^{b'}.

We will prove four results. We will show that UM and CF achieve implicit
authentication. Moreover, MQV achieves weak implicit authentication. Finally,
(strong) implicit authentication holds for MQV, under an additional assumption.

Of these protocols, UM allows the simplest proof.

Theorem 15. UM achieves implicit authentication.

Proof. Let s_1, s_2 be strands in ℬ as in the implicit authentication goal, where
also a, b ∈ non_ℬ. Since s_1 receives a certificate [cert Y_B' || B']_sk(CA), by Assumption
3, sk(CA) ∈ non_ℬ. Hence, there was a certifying strand that transmitted
this certificate, and by Assumption 3, Cl. 2a, Y_B' = g^{b'} for some b'. By symmetry, Y_A' = g^{a'}.
The key computation, with the injectiveness of || and H,† ensures g^{a'b} =
g^{ab'}, hence a'b = ab'. Thus, there is some c such that a' = ca and b' = cb.
Applying Cor. 1, we conclude B' = B. Symmetrically, A' = A.

Using indicators in a richer way than previously, we obtain:

Theorem 16. CF achieves implicit authentication, when the strands s_1, s_2 receive
[R_B']_sk(B') and [R_A']_sk(A'), and sk(A'), sk(B') ∈ non_ℬ.

† In the symbolic model, hash functions are modeled as injective.






    xy'                  xb'                  y'a                  ab'
    (0, 0, 1, ?, ?, 1)   (?, ?, 1, 0, ?, 0)   (1, 0, 0, ?, ?, 1)   (1, ?, 0, 0, 0, 0)

    (0, 0, ?, 1, 1, ?)   (0, 1, ?, 0, 1, ?)   (?, ?, 0, 1, 0, ?)   (?, 1, 0, 0, 0, 0)
    x'y                  x'b                  ya'                  a'b

Table 4. Indicator vectors for CF authentication (basis a, b, x, y, x', y')



Proof. We start with a, b ∈ non_ℬ, and Assumption 2 tells us x, y ∈ non_ℬ. Using
the signatures, there exist regular initiator or responder strands transmitting
[R_B']_sk(B') and [R_A']_sk(A'). Hence, by Assumption 2, R_A' = g^{x'} and R_B' = g^{y'},
where x', y' ∈ non_ℬ and g^{x'}, g^{y'} ∈ unique_ℬ. We may also use the certificates (as in
the previous proof) to infer that Y_B' = g^{b'} and Y_A' = g^{a'}. Also g^a, g^b ∈ unique_ℬ.
Since the strands compute the same session key,

We also know that none of these parameters can be replaced by a compound expression,
since they are independently chosen on regular strands. Moreover, none
of x, y, x', y' can equal any of a, b, a', b', as g^x, g^y, g^{x'}, g^{y'} are uniquely originating
on initiator or responder strands. The exponentials of the latter all originate on
certificate request strands.

Moreover, if x = y, then s_1 = s_2, so A = A' and B = B', and authentication
is assured. So assume x ≠ y.

We compute indicators for the four monomials on each side of Eqn. 12, as
shown in Table 4. We use as basis the non-originating parameters a, b, x, y, x', y',
in this order. Since we do not know whether the primed variables equal their
unprimed counterparts, there are undetermined entries (?) in the indicator vectors;
an integer 0 or 1 shows the definite absence or presence of a parameter.

In the table, every vertically aligned pair is compatible, i.e. we can fill in the
undetermined entries so as to make the vectors agree. Moreover, if two vectors
are not vertically aligned, they are incompatible. For instance, the rightmost
entries have 0s for all the slots for ephemeral parameters, which puts them in
conflict with all of the other vectors.

Hence, xy' = x'y, ..., ab' = a'b. Since each of these is a parameter, and not
compound, we have x = x', y = y', a = a', b = b'. Applying Cor. 1, A = A' and
B = B'.

Turning now to MQV:

Theorem 17. MQV achieves weak implicit authentication.

Proof. Let s_1, s_2 be strands in ℬ as in the weak implicit authentication goal,
where also a, b, a' ∈ non_ℬ and Y_A' = g^{a'}. Here the starting point is weaker than
in CF, since we do not know that R_B', R_A' originate on regular strands; we know
only that they are group elements, so of the form g^η, g^ψ, resp., for η, ψ : NZE.
    xη                 aη[g^x]            xβ[g^η]            aβ[g^x][g^η]
    (?, ?, ?, 1, ?)    (1, ?, ?, ?, ?)    (?, ?, ?, 1, ?)    (1, ?, ?, ?, ?)

    (?, ?, ?, ?, 1)    (?, ?, 1, ?, ?)    (?, 1, ?, 0, 1)    (?, 1, 1, 0, 0)
    ψy                 ψb[g^y]            a'y[g^ψ]           a'b[g^y][g^ψ]

Table 5. Indicator vectors for MQV weak authentication (basis a, a', b, x, y)



Likewise, Y_B', having been certified, is some group element g^β. Since s_1, s_2 yield
the same key, we have:

    g^{xη} · g^{aη[g^x]} · g^{xβ[g^η]} · g^{aβ[g^x][g^η]} = g^{ψy} · g^{ψb[g^y]} · g^{a'y[g^ψ]} · g^{a'b[g^y][g^ψ]}

An adversary strategy for solving this consists of an assignment of possibly
compound expressions to the Greek letters ψ, η, β. The adversary wins if both
sides of this equation reduce to the same normal form, but without forcing
A = A'.

We write the indicator vectors for this in Table 5, relative to the basis
(a, a', b, x, y), all in non. There are many entries ?, because we do not know
whether a = a', or what the adversary incorporated into the Greek letters β, η, ψ.
Nevertheless, the lower right entry has 0 for the x slot, so it cannot equal the
first or third entry in the first row, in which the x slot is 1. This leaves two
possibilities, the second and fourth terms.

In these terms, the a slot is 1. Thus, either a' = a or b = a. If a' = a, we may
apply Cor. 1.

So assume a' ≠ a and b = a. If we choose term 2, i.e. a'b[g^y][g^ψ] = aη[g^x],
then η = a'r, where r is the ratio of boxed terms. Turning to the term xη, we
have xη = xa'r, i.e. its y and b slots are 0. Thus, it cannot equal any of the
monomials on the RHS.

Choosing term 4, a'b[g^y][g^ψ] = aβ[g^x][g^η], then β = a'r, where r is a ratio of
boxed values. But since β was certified, we can apply Cor. 1 to infer that β = a'.
Plugging in, we now have a'y[g^ψ] with indicator (0, 1, 0, 0, 1). Since xβ[g^η] has
indicator (0, 1, 0, 1, 0), there is no term in the top row that a'y[g^ψ] can match.

Kaliski [ ] showed implicit authentication does not hold for MQV. An adversary,
observing A's ephemeral public value R_A = g^x, may generate a new R_E
depending on R_A and Y_A = g^a, and then a new long-term Y_E:

    R_E = g^a · (g^x)^{[g^x]} · g^{−1}        Y_E = g^{[R_E]^{−1}}        (13)

Thus, R_E = g^{a + x[g^x] − 1}. The adversary asks CA to certify Y_E, successfully proving
possession of [R_E]^{−1}. This is compatible with our assumptions as Ind_(a)(Y_E) = 0.

E's operations cancel out, so the certificate misleads B into thinking K is
shared with E, when it is shared with A. A mischievous priest E can cause a
criminal B to believe K is shared with E, when in fact it is shared with the district
attorney A. E can thus induce B to misdeliver a confession to A, leading to an
unexpected plot twist in Hitchcock's movie with Montgomery Clift [24].

Definition 7. Strands s, d with parameters [..., a, x, ...] and [..., Y_A, R_A] are
a doping pair if x appears in Y_A.

Bundle ℬ respects ephemerals if no doping pair in ℬ yields a shared key K.

Doping, which [ ] uses, is not visible to the principal executing d. We mention
below a way to prevent it.

Theorem 18. Suppose ℬ is an MQV bundle that respects ephemerals. Then ℬ
satisfies (full) implicit authentication.

Proof. Let s_1, s_2 be strands in ℬ as in the implicit authentication goal, where
a, b ∈ non_ℬ and Y_A' = g^α, Y_B' = g^β, for α, β : NZE. R_B', R_A' are group
elements of the form g^η, g^ψ resp., for η, ψ : NZE. Since s_1, s_2 yield the same
key,

By Cor. 1, either α = a or α = b or Ind_(a,b)(α) = 0. Likewise, either β = a or
β = b or Ind_(a,b)(β) = 0.

If both α, β ∈ {a, b}, then we have a case of weak authentication from both
sides, so Thm. 17 gives the desired result. Assume then that at least one, e.g. α,
has Ind_(a,b)(α) = 0. Since ℬ respects ephemerals, (s_1, s_2) is not a doping pair,
and (s_2, s_2) is not a doping pair, so x, y are syntactically absent from α. So in
fact Ind_(a,b,x,y)(α) = 0. By Equation 14

    xη + aη[g^x] + xβ[g^η] + aβ[g^x][g^η]
        = ψy + ψb[g^y] + αy[g^ψ] + αb[g^y][g^ψ]

The Greek letters may be compound expressions. Thus, αy[g^ψ] and αb[g^y][g^ψ]
may each yield a number of monomials when reduced to normal forms. However,
because α has indicator 0, and the boxed terms have indicator 0, monomials
resulting from αy[g^ψ] all have indicator (0, 0, 0, 1). Monomials resulting from
αb[g^y][g^ψ] all have indicator (0, 1, 0, 0).

When the LHS normalizes, no monomial on the LHS can have indicator
(0, 1, 0, 0) or (0, 0, 0, 1) because each one has a factor of x or a. So, the last two
summands on the RHS cannot contribute any monomials to the normal form.

By Lemma 2, the LHS has non-zero contributions of a and x. Hence, ψ must
have non-zero contributions of them.

We write ψ as the sum ψ = ψ_nz + ψ_0, where ψ_nz collects all the monomials
in ψ with non-zero indicators, and ψ_0 collects all those with indicator 0.

In particular, ψ_0 y must cancel αy[g^ψ], and ψ_0 b[g^y] must cancel αb[g^y][g^ψ].
Each of these leads to the conclusion:

    −(ψ_0 / [g^ψ]) = α.        (15)
Hence the normal form of ψ_0 must be some φ[g^ψ], so that [g^ψ], which has
occurrences of x, can syntactically cancel. Hence, the normal form of ψ is



contradicting the well-foundedness of the syntactic terms.

The preceding analysis sheds some light on Kaliski's attack (13) on MQV. There,
equation 15 holds with ψ_0 = −1 and α = [g^ψ]^{−1}. However, we here have the
additional assumption above that ℬ respects ephemerals: since s_1, s_2 is not a
doping pair, α can have no occurrence of x, but as we have observed, ψ must.

The interesting approaches to preventing the Kaliski attack, that is, to ensuring
that executions respect ephemerals, involve time and causality. Suppose
that the CA always takes at least a minimum time $t_c$ between receiving a certification
request and issuing the certificate. Moreover, the initiator always times
out and discards a session if it does not complete within a period $t_I$, where
$t_I < t_c$. For instance, if $t_c$ is an hour and $t_I$ is a half hour, this approach
would be practically workable. No synchronization between different principals
is required for this, since each participant makes purely local decisions about
timing. Non-malicious sessions would be entirely unaffected. Then, in any completed
session, no certified value can involve an ephemeral of that session: the
certificate was requested at least $t_c$ before it was issued, hence more than $t_I$
before the session completed, hence before the session began, at which time the
ephemeral had not yet been generated.
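To make the causal argument above concrete, here is an added example in Python (not code from the paper) that simulates the two local rules on a single discrete clock: a CA that never issues a certificate sooner than $t_c$ after the request, and an initiator that discards any session older than $t_I$. Principals, times and the attacker's moves are constructed for illustration, and the "public values" are labels standing in for group elements, not arithmetic. With $t_I < t_c$ the Kaliski-style run, in which the attacker asks the CA to certify a value derived from the session's own $g^x$ and presents the certificate the instant it is issued, times out; the same simulation with $t_I \geq t_c$ shows the attack completing, which is the misconfiguration the inequality rules out.

```python
"""Added example (not from the paper): a discrete-clock simulation of the two local
timing rules, a CA latency of at least t_c and an initiator timeout of t_I < t_c.
Principals, times and the 'public values' (labels, not group elements) are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    subject: str
    value: str           # label of the certified public value, e.g. "B" or "X_E(X(x@0))"
    requested_at: int
    issued_at: int


class CertificateAuthority:
    """Local rule t_c: a certificate is issued no sooner than min_latency after its request."""
    def __init__(self, min_latency):
        self.min_latency = min_latency

    def request(self, subject, value, now):
        return Certificate(subject, value, requested_at=now, issued_at=now + self.min_latency)


class Initiator:
    """Local rule t_I: a session that has not completed within `timeout` is discarded.
    No clock other than the initiator's own is consulted."""
    def __init__(self, timeout):
        self.timeout = timeout

    def start(self, now):
        self.started_at = now
        self.ephemeral = f"x@{now}"        # stands in for the fresh exponent x
        return f"X({self.ephemeral})"      # stands in for g^x, sent to the peer

    def finish(self, peer_cert, now):
        if now < peer_cert.issued_at:
            raise ValueError("a certificate cannot be presented before the CA issues it")
        if now - self.started_at > self.timeout:
            return "timeout"               # session discarded; nothing is accepted
        return "completed"


def cert_could_involve_ephemeral(cert, initiator):
    """A certified value can depend on this session's ephemeral only if the request
    was made after the ephemeral existed (causality; no shared clock is needed)."""
    return cert.requested_at >= initiator.started_at


def simulate(t_c, t_i):
    """Run an honest session and a Kaliski-style session under the rules (t_c, t_i)."""
    ca = CertificateAuthority(t_c)
    out = {}
    # Honest run: the peer's long-term key B was certified long before the session.
    bob_cert = ca.request("Bob", "B", now=-1000)
    alice = Initiator(t_i)
    alice.start(now=0)
    out["honest"] = alice.finish(bob_cert, now=5)
    out["honest_cert_could_involve_ephemeral"] = cert_could_involve_ephemeral(bob_cert, alice)
    # Kaliski-style run: Eve derives a value from Alice's X, has it certified as fast as
    # the CA allows, and presents the certificate the instant it is issued.
    alice = Initiator(t_i)
    X = alice.start(now=0)
    eve_cert = ca.request("Eve", f"X_E({X})", now=0)
    out["attack"] = alice.finish(eve_cert, now=eve_cert.issued_at)
    out["attack_cert_could_involve_ephemeral"] = cert_could_involve_ephemeral(eve_cert, alice)
    return out


if __name__ == "__main__":
    print("t_I < t_c :", simulate(t_c=60, t_i=30))   # attack times out
    print("t_I >= t_c:", simulate(t_c=60, t_i=90))   # misconfiguration: attack completes
```

The attacker here is given every advantage the model allows (request at the earliest instant, delivery at the earliest instant), so the `timeout` outcome is the worst case for the initiator, not a lucky sample.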

9 Uniform Equality and the Completeness of $\mathrm{AG}^-$

In this section we justify the use of $\mathrm{AG}^-$, specifically the use of $\mathrm{AG}^-$-normal
forms to model messages. Any theorem of $\mathrm{AG}^-$ surely holds in all DH-structures.
Theorem 19 gives us the converse, namely that every equation that holds in all
DH-structures is a theorem of $\mathrm{AG}^-$. Indeed, given a non-principal ultrafilter $D$
over the set of primes, there is a single structure $\mathcal{M}_D$ that is "generic" for all of
the DH-structures: an equation $s = t$ is valid in $\mathcal{M}_D$ if and only if it is valid in
infinitely many DH-structures.

We work first with models of the language of $\mathrm{AG}^-$ but with the $[\cdot]$ removed
from the signature. They have all the structure required to analyze UM and CF.
We then extend our results to DH-structures equipped with a $[\cdot]$ function.

Algebraically isomorphic structures can have very different computational
properties. Indeed, the prime field $\mathbb{F}_q$ presented as the group of integers mod $q$
induces a DH-structure where the base group is the additive group of $\mathbb{F}_q$ and
exponentiation is multiplication. The discrete log problem in this structure is
computationally tractable (it is division mod $q$). However, the additive group of
$\mathbb{F}_q$ is isomorphic to the subgroup of order $q$ of the multiplicative group of integers
modulo a prime $p$ with $q \mid p - 1$. There, the discrete log problem may be intractable.
Although the algebra is blind to the computational distinctions, we focus here on
the algebraic equations between terms in DH-structures.

First, we show that the field of scalars, i.e. the exponents, carries all the
algebraic information in a model of $\mathrm{AG}^-$.
Definition 8. Let $F$ be a field. We construct a $[\cdot]$-free model $\mathcal{M}_F$ of theory $\mathrm{AG}^-$
as follows. The sorts $E$ and $G$ are each interpreted as the domain of $F$; the
sort $NZE$ is interpreted as the set of non-0 elements of $E$. The operations of
$E$ are interpreted just as in $F$ itself. The operation $\cdot$ is taken to be $+$ from $E$,
thus $1$ and $\mathrm{inv}$ are taken to be $0$ and $-$. Exponentiation is multiplication: $a^{e}$ is
interpreted as $a * e$.

For each field $F$, $\mathcal{M}_F$ satisfies all of the equations in $\mathrm{AG}^-$. When $F$ is the prime
field of order $q$ then $\mathcal{M}_F = \mathcal{M}_q$ is, up to isomorphism, precisely the standard
DH algebra of order $q$. When $F$ is the field $\mathbb{Q}$ of rational numbers, $\mathcal{M}_F = \mathcal{M}_{\mathbb{Q}}$
will be of interest to us below.

The key device for reasoning about uniform equality across DH-structures
is the notion of ultraproduct, cf. e.g. [ ]. We let the variable $D$ range over non-principal
ultrafilters over the set of prime numbers.

Definition 9. Let $D$ be a non-principal ultrafilter over the set of prime numbers
and let $\mathbb{F}_D$ be the ultraproduct structure $\prod_{D} \{ \mathbb{F}_q \mid q \text{ prime} \}$. $\mathcal{M}_{\mathbb{F}_D}$ is the DH-structure
obtained from $\mathbb{F}_D$ via Definition 8. For simplicity we write $\mathcal{M}_D$ for $\mathcal{M}_{\mathbb{F}_D}$.

The crucial facts about ultraproducts for our purposes are: (i) a first-order
sentence is true in an ultraproduct if and only if the set of indices at which it
is true is a set in $D$; (ii) when $D$ is non-principal, every cofinite set is in $D$. We
show below that the set of equations valid in $\mathcal{M}_D$ does not depend on which
non-principal $D$ we use.

$\mathbb{F}_D$ is a field, since each $\mathbb{F}_q$ satisfies the first-order axioms for fields. $\mathbb{F}_D$ has
characteristic 0, since for each $n \geq 1$ the equation $1 + 1 + \cdots + 1 = 0$ (with $n$
summands) is false in all but finitely many $\mathbb{F}_q$: it holds only in those $\mathbb{F}_q$ with $q$
dividing $n$, and so by (ii) it fails in $\mathbb{F}_D$.

Lemma 3. The structure $\mathcal{M}_{\mathbb{Q}}$ can be embedded as a submodel in any $\mathcal{M}_D$.

Proof. Since $\mathbb{F}_D$ has characteristic 0, and $\mathbb{Q}$ is the prime field of characteristic
0, $\mathbb{Q}$ is embeddable in $\mathbb{F}_D$. The models $\mathcal{M}_D$ and $\mathcal{M}_{\mathbb{Q}}$ are definitional expansions of
$\mathbb{F}_D$ and $\mathbb{Q}$, so the embedding of $\mathbb{Q}$ into $\mathbb{F}_D$ extends to embed $\mathcal{M}_{\mathbb{Q}}$ into $\mathcal{M}_D$.

Lemma 4. Let $t : G$ be in normal form, in the $[\cdot]$-free sublanguage of $\mathrm{AG}^-$. There
exists an environment $\eta : \mathrm{Vars} \to \mathbb{Q}$ such that if $u$ and $u'$ are distinct subterms
of $t$, $\eta(u) \neq \eta(u')$ in $\mathcal{M}_{\mathbb{Q}}$.

Proof. In the structure $\mathcal{M}_{\mathbb{Q}}$, exponentiation is interpreted as multiplication, so
it suffices to consider the expression obtained by replacing $\cdot$ and $\mathrm{inv}$ by $+$ and
$-$, and the exponentiation operator by $*$, and viewing $t$ as an ordinary rational
expression in several variables $x_1, \ldots, x_k$ (the variables occurring in $t$). We may
view $t$ as determining a real function $f_t : \mathbb{R}^k \to \mathbb{R}$. In fact each subterm $t'$ of $t$
similarly determines a function from $\mathbb{R}^k$ to $\mathbb{R}$ (not all variables of $t$ will occur in
all subterms, but we may still treat each as inducing a $k$-ary function). So the
family of subterms of $t$ determines a (finite) set of rational functions, and we can
find a rational point $r = (r_1, \ldots, r_k)$ such that no two of these functions agree on
$r$: two distinct rational functions differ on a dense open subset of $\mathbb{R}^k$, finitely
many such subsets still have a dense open intersection, and that intersection
contains rational points. We define $\eta$ to map each $x_i$ to $r_i$.
Corollary 2. If $s$ and $t$ are distinct normal forms then it is not the case that
$\mathcal{M}_{\mathbb{Q}} \models s = t$.

Proof. Form the term $u = s \cdot \mathrm{inv}(t)$. Since $s$ and $t$ are distinct normal forms this
term is in normal form. By Lemma 4 there is an environment $\eta$ with $\eta(s) \neq \eta(t)$,
and the result follows.

$\mathrm{AG}^-$ is complete for uniform equality in the absence of the $[\cdot]$ function:

Theorem 19. For each pair of $G$-terms $s$ and $t$ in the $[\cdot]$-free fragment of $\mathrm{AG}^-$,
the following are equivalent:

1. $\mathrm{AG}^- \vdash s = t$

2. For all $q$, $\mathcal{M}_q \models s = t$

3. For all non-principal $D$, $\mathcal{M}_D \models s = t$

4. For some non-principal $D$, $\mathcal{M}_D \models s = t$

5. $\mathcal{M}_{\mathbb{Q}} \models s = t$

6. If $s$ reduces to $s'$ with $s'$ irreducible, and $t$ reduces to $t'$ with $t'$ irreducible,
then $s'$ and $t'$ are identical modulo associativity and commutativity of $\cdot$, $+$,
and $*$.

Proof. It suffices to establish the cycle of entailments 1 implies 2 ... implies
6 implies 1. The first three of these steps are immediate: every theorem of $\mathrm{AG}^-$
holds in each model $\mathcal{M}_q$ (1 implies 2), an equation true in every $\mathcal{M}_q$ is true in
every ultraproduct by fact (i) (2 implies 3), and non-principal ultrafilters over the
primes exist (3 implies 4). That 6 implies 1 is likewise immediate, since each
reduction step is an instance of an equation of $\mathrm{AG}^-$. The fact that 4 implies 5
follows from Lemma 3, an equation being preserved by passage to a submodel. To
conclude 6 from 5, use Corollary 2.

As a corollary of Theorem 19, these equivalences hold for $E$-term equations as
well. Given terms $e$ and $e'$, form the equation $g^{e} = g^{e'}$. It is provable iff $e = e'$
is provable, and is true in a given model $\mathcal{M}$ iff $e = e'$ is.

Corollary 3. If $\mathcal{M}_q \models s = t$ holds for infinitely many $q$, then for all $q$, $\mathcal{M}_q \models
s = t$.

Proof. Suppose that $\{ q : \mathcal{M}_q \models s = t \}$ is infinite. Then there is a non-principal
ultrafilter $D$ containing this set. So (4) in Thm. 19 holds, and we apply (4) $\Rightarrow$ (2).

The equivalence of $\mathrm{AG}^-$-provability with equality in the models is the technical
core of our claim that $\mathrm{AG}^-$ captures "uniform equality."

The model $\mathcal{M}_{\mathbb{Q}}$ is convenient: that this single model, based on a familiar structure,
serves to witness uniform equality simplifies analyses. Our first analysis of MQV
used this.

The model $\mathcal{M}_D$ satisfies an even more striking property. It follows from results
of Ax [3] that the first-order theory of $\mathcal{M}_D$ is decidable. So the structure $\mathcal{M}_D$ is
an attractive one for closer study of the "uniform" properties of DH-structures.

Incorporating $[\cdot]$. An analogue of Theorem 19 holds for the full language of
$\mathrm{AG}^-$, the language appropriate for reasoning about MQV. The starting point is
like Lemma 4.
Lemma 5. Let $t : G$ be in normal form, in the language of $\mathrm{AG}^-$. There exists
an interpretation of the $[\cdot]$ function and an environment $\eta$ such that if $u$
and $u'$ are distinct subterms of $t$, $\eta(u) \neq \eta(u')$ in $\mathcal{M}_{\mathbb{Q}}$.

Proof. The proof is by induction on the number of $[\cdot]$-subterms of $t$. If this
number is 0 then we may apply Lemma 4 and simply use the following simple
$[\cdot]$ function: $[a] = a$ if $a \neq 0$ and $[0] = 1$.

Otherwise let $[s]$ be a subterm of $t$ such that $s$ is $[\cdot]$-free. Let $t'$ be the term
obtained from $t$ by replacing each occurrence of $[s]$ by a variable $v$ occurring
nowhere in $t$. Then $t'$ is in normal form, so by induction there is a function $[\cdot]_0$
and an environment $\eta$ that acts as an injection over the subterms of $t'$. We may
assume that $\eta$ is defined on all the variables of $t$ (even though some may not
occur in $t'$). We claim that we can define $[\cdot]$ so that the resulting function, taken
with the same environment $\eta$, satisfies the Lemma. We define $[\cdot]$ to agree with
$[\cdot]_0$ on all values except $\eta(s)$, where we put $[\eta(s)] = \eta(v)$. Since $\eta$ is guaranteed
to yield different values on distinct subterms of $t'$, the use of $[\cdot]_0$ will yield the
same values as the use of $[\cdot]$ on subterms of $t$ other than $[s]$.

By an argument similar to that establishing Corollary 2 we obtain

Corollary 4. $\mathrm{AG}^- \vdash s = t$ iff for all $[\cdot]$ functions, $\mathcal{M}_{\mathbb{Q}} \models s = t$.

From this follows, finally:

Theorem 20. For each pair of $G$-terms $s$ and $t$ in the full language of $\mathrm{AG}^-$ the
following are equivalent:

1. $\mathrm{AG}^- \vdash s = t$

2. For all $q$ and all $[\cdot]$ functions on $\mathcal{M}_q$, $\mathcal{M}_q \models s = t$

3. For all non-principal $D$, for all $[\cdot]$ functions on $\mathcal{M}_D$, $\mathcal{M}_D \models s = t$

4. For some non-principal $D$, and all $[\cdot]$ functions on $\mathcal{M}_D$, $\mathcal{M}_D \models s = t$

5. For all $[\cdot]$ functions on $\mathcal{M}_{\mathbb{Q}}$, $\mathcal{M}_{\mathbb{Q}} \models s = t$

6. If $s$ reduces to $s'$ with $s'$ irreducible, and $t$ reduces to $t'$ with $t'$ irreducible,
then $s'$ and $t'$ are identical modulo associativity and commutativity of $\cdot$, $+$,
and $*$.

Proof. As for Theorem 19 we can establish a cycle of entailments. The non-trivial
changes to the arguments presented for Theorem 19 are

— to conclude 5 from 4 now, we observe that given a $[\cdot]$-function on $\mathcal{M}_{\mathbb{Q}}$ that
entails $\mathcal{M}_{\mathbb{Q}} \not\models s = t$ we can, via the embedding of $\mathcal{M}_{\mathbb{Q}}$ into $\mathcal{M}_D$, construct a
$[\cdot]$-function on $\mathcal{M}_D$ such that $\mathcal{M}_D \not\models s = t$, and

— to conclude 6 from 5 now, we use Corollary 4.
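The models $\mathcal{M}_F$ of Definition 8 can be made concrete. The following Python is an added example, not code from the paper: it evaluates $[\cdot]$-free and $[\cdot]$-equipped terms in $\mathcal{M}_q$ for several primes $q$ and in $\mathcal{M}_{\mathbb{Q}}$, checks a few theorems of $\mathrm{AG}^-$ against all of them, exhibits an equation ($x^3 = x$, in the form $g^{x*x*x} = g^{x}$) that holds in $\mathcal{M}_2$ and $\mathcal{M}_3$ but in no other $\mathcal{M}_q$ and not in $\mathcal{M}_{\mathbb{Q}}$, so is not a uniform equality (Corollary 3), and shows why Corollary 4 and Theorem 20 quantify over all $[\cdot]$ functions: under the $[\cdot]$ used in the proof of Lemma 5, the exponent terms $[g^{x}] * x$ and $x * x$ coincide in every $\mathcal{M}_F$, while a different $[\cdot]$ separates them in $\mathcal{M}_{\mathbb{Q}}$. The tuple encoding of terms, the reading of the generator $g$ as the field element 1, and the choice of sampled rational points (since $\mathbb{Q}^k$ cannot be enumerated) are assumptions of the example.

```python
"""Added example (not from the paper): the models M_F of Definition 8, with and
without a [.] function, used to check which term equations hold uniformly."""
from fractions import Fraction
from itertools import product
import random


class PrimeField:
    """F_q for a prime q; elements are ints in range(q)."""
    def __init__(self, q): self.q = q
    def const(self, n): return n % self.q
    def add(self, a, b): return (a + b) % self.q
    def neg(self, a): return (-a) % self.q
    def mul(self, a, b): return (a * b) % self.q
    def inv(self, a):
        if a == 0: raise ZeroDivisionError("inv(0): 0 is not in NZE")
        return pow(a, -1, self.q)
    def points(self, k, rng): return product(range(self.q), repeat=k)  # all of F_q^k


class Rationals:
    """Q, the prime field of characteristic 0 underlying M_Q."""
    def const(self, n): return Fraction(n)
    def add(self, a, b): return a + b
    def neg(self, a): return -a
    def mul(self, a, b): return a * b
    def inv(self, a):
        if a == 0: raise ZeroDivisionError("inv(0): 0 is not in NZE")
        return 1 / a
    def points(self, k, rng):  # Q^k is infinite: 200 sampled points (an assumption)
        return (tuple(Fraction(rng.randint(-30, 30), rng.randint(1, 30)) for _ in range(k))
                for _ in range(200))


def box_default(F, a):  # the [.] used in the proof of Lemma 5: [a] = a for a != 0, [0] = 1
    return a if a != F.const(0) else F.const(1)


def evaluate(t, F, env, box=box_default):
    """Definition 8: sorts E and G are both F; the group operation '.' is +, the group
    unit is 0, group inverse is -, and u^e is u * e.  The generator g is read as the
    field element 1 (an assumption of this example; any non-zero element would do)."""
    op, args = t[0], t[1:]
    ev = lambda u: evaluate(u, F, env, box)
    if op == 'var': return env[args[0]]
    if op == 'num': return F.const(args[0])
    if op == 'gen': return F.const(1)            # g
    if op == 'one': return F.const(0)            # group unit 1 of G
    if op in ('+', 'dot'): return F.add(ev(args[0]), ev(args[1]))
    if op in ('neg', 'ginv'): return F.neg(ev(args[0]))
    if op in ('*', 'exp'): return F.mul(ev(args[0]), ev(args[1]))
    if op == 'inv': return F.inv(ev(args[0]))    # E-inverse, defined on NZE only
    if op == 'box': return box(F, ev(args[0]))   # [.] : G -> E
    raise ValueError(op)


def variables(t):
    if t[0] == 'var': return {t[1]}
    return set().union(*(variables(u) for u in t[1:] if isinstance(u, tuple)))


def holds(s, t, F, box=box_default, seed=0):
    """True iff s = t at every point tried: all of F_q^k for a prime field, sampled
    rational points for Q. Points where inv(0) arises lie outside NZE and are skipped."""
    xs = sorted(variables(s) | variables(t))
    for p in F.points(len(xs), random.Random(seed)):
        env = dict(zip(xs, p))
        try:
            if evaluate(s, F, env, box) != evaluate(t, F, env, box): return False
        except ZeroDivisionError:
            continue
    return True


# Term builders (constructed tuple encoding of AG^- syntax, not the paper's notation).
def g(e): return ('exp', ('gen',), e)
def v(name): return ('var', name)
a, b, x = v('a'), v('b'), v('x')
FIELDS = {q: PrimeField(q) for q in (2, 3, 5, 7, 11)}
FIELDS['Q'] = Rationals()


def survey(s, t, box=box_default):
    """Which of M_2, M_3, M_5, M_7, M_11, M_Q satisfy s = t."""
    return {name: holds(s, t, F, box) for name, F in FIELDS.items()}


# Theorems of AG^- hold in every M_F (Theorem 19, 1 => 2 and 1 => 5).
COMMUTE = (('exp', g(a), b), ('exp', g(b), a))           # (g^a)^b = (g^b)^a
HOMOM = (('dot', g(a), g(b)), g(('+', a, b)))            # g^a . g^b = g^(a+b)
CANCEL = (('exp', g(a), ('inv', a)), g(('num', 1)))      # (g^a)^(1/a) = g^1, a in NZE
# x^3 = x (as g^(x*x*x) = g^x) holds in F_2 and F_3 only: true in finitely many
# DH-structures, so not a uniform equality (Corollary 3).
FERMAT3 = (g(('*', x, ('*', x, x))), g(x))
# [g^x] * x and x * x agree in every M_F under box_default, but a different [.]
# separates them in M_Q: this is why Corollary 4 quantifies over all [.] functions.
BOXED = (g(('*', ('box', g(x)), x)), g(('*', x, x)))
def box_square_plus_one(F, a): return F.add(F.mul(a, a), F.const(1))  # never 0 over Q

if __name__ == '__main__':
    for name, eq in [('COMMUTE', COMMUTE), ('HOMOM', HOMOM), ('CANCEL', CANCEL), ('FERMAT3', FERMAT3)]:
        print(name, survey(*eq))
    print('BOXED, box_default:', survey(*BOXED))
    print('BOXED, [a] = a^2 + 1 in M_Q:', holds(*BOXED, FIELDS['Q'], box_square_plus_one))
```

Exhaustive enumeration over $\mathbb{F}_q^k$ makes the prime-field verdicts exact; the rational verdicts are sampled, which is enough to refute an equation but, as Lemma 4 explains, agreement at finitely many rational points is not a proof of validity.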

10 Conclusion and Related Work 

Related Work. Within the symbolic model, there has been substantial work
on some aspects of DH, starting with Boreale and Buscemi [7], which provides
a symbolic semantics [1,18,32] for a process calculus with algebraic operations
for DH. Their symbolic semantics is based on unification.

Indeed, symbolic approaches to protocol analysis have relied on unification as
a central part of their reasoning. Goubault-Larrecq, Roger, and Verma [20] use a
method based on Horn clauses and resolution modulo AC, providing automated
proofs of passive security. Maude-NPA [16,17] is also usable to analyze many
protocols involving DH, again depending heavily on unification.

All of these approaches appear to face a fundamental problem with a theory
like the $\mathrm{AG}^-$ theory of Section 9, in which it would be unwise to rely on the
decidability of the unifiability problem. Unifiability is undecidable in the theory
of rings, essentially by the unsolvability of Hilbert's tenth problem. There
are, however, many related theories for which undecidability is not known, for
instance the diophantine theory of the rationals [4].

Küsters and Truderung [29] finesse this issue by rewriting protocol analysis
problems. The original problems use an AC theory involving exponentiation.
They transform it into a corresponding problem that does not require the AC
property, and so can work using standard ProVerif resolution [6]. Their approach
covers a surprising range of protocols, although, like [10], not implicitly
authenticated DH (iadh) protocols such as MQV or CF.

Another contrast between this paper and previous work is the uniform treat- 
ment of numerous security goals. Our methods are applicable to confidentiality, 
authentication, and further properties such as forward secrecy. 

Our adversary model is active. For passive attacks, there has been some work 
on computational soundness for Diffie-Hellman, with Bresson et al. [ ] giving an 
excellent treatment. 

Conclusion and Future Work. In this paper, we have applied the strand 
space framework to iadh protocols, such as UM, CF, and MQV, establishing 
about a dozen security properties of them. While all of them have been previously 
claimed, few have been proved in as informative a way as we do here. Moreover, 
our proofs rely on a few fundamental principles that can be easily applied. They 
combine rewriting techniques and the indicator idea. 

We also provided a deeper model-theoretic treatment that justifies our rewrit- 
ing theory with respect to an adversary model. Our adversary can use any al- 
gebraic facts that are true in all but finitely many DH-structures. Since other 
cryptographic primitives such as bilinear pairings are built by enriching DH- 
structures, it is highly desirable to have proof techniques that work in this rich 
algebraic framework. 

Connecting this with the standard computational model remains for future 
work. In our model the adversary must choose its whole strategy before seeing 
the concrete messages for a particular run, or even knowing the prime q. This 
raises the question of the computational soundness of our approach, a focus 
of future research: Does the Decisional Diffie-Hellman assumption ensure that 
the adversary gets no asymptotic advantage from knowing q and the concrete 
messages? 
Our proofs here are handcrafted. However, we are currently pursuing an
approach using model-finding in geometric logic, a generalization of Horn logic,
which offers great promise for mechanizing many of these conclusions.